PROTECT AND SECURE
Interviews with computer security experts and consultants across the country—many of them young and brash but nonetheless well-informed—suggest that outside of a few regulated industries, such as banking and insurance, the majority of SMB CEOs have not taken sufficient steps to protect themselves. Hackers pursuing technical secrets may target startup companies in fields such as solar energy, genomics, pharmaceuticals, nanotechnology and other fields where American companies hold global advantage. More established companies that sell highly specialized equipment to aerospace and defense industries are also targeted.
Hackers don’t necessarily infiltrate smaller technology companies for what they have today—they may be more interested in what they can access once a smaller business establishes an alliance with a large company or is acquired. The cyber thieves can insert viruses and malware that lie dormant in a system until they are activated, which may be years later.
The attacking software can even work its way up through different levels of approval within a company’s system until it is accepted as legitimate. Other types of hackers seek information that can be sold on the “dark” Internet, the part that ordinary folks never see, and they go after the personal data of people who do business with hospitals, law firms or retailers.
The dark Internet is where hackers exchange code and brag about their exploits. The worst sort of hackers, however, are company insiders who have a beef with top management. They have security clearances—and axes to grind.
Most companies with less than $1 billion in sales a year cannot afford full-fledged IT departments with a dedicated chief security officer, and therefore may have only a handful of people managing a large, complex problem. Furthermore, when IT departments are aware that they have vulnerabilities and approach top management for funding to fix the problems, they are often denied that money. To compound matters, they fear that if they reveal too much about security gaps to their CEOs, they will be held responsible. “IT departments are way behind,” says Andrew Ostashen, co-founder of Boston-based Vulsec, another consultancy that specializes in smaller companies.
“They’re constantly climbing up the hill while the hackers are on top of the hill throwing rocks at them.” He notes that many SMBs have 10- and 12-year-old firewalls that cannot properly analyze the data flowing in and out of a company’s systems.
THE PEOPLE PROBLEM
One reality is that if the attackers can make direct contact with the people inside a company, they can almost certainly use employees’ social media postings to learn about their technological competencies and their personal interests. That helps them create special “come-on” messages, or phishes, that are so well-tailored that even a trained employee will click on an Internet link, introducing a virus or malware into the company’s systems. “The human is the weakest link,” says Ostashen, an “ethical hacker” who assaults companies’ systems to demonstrate their weaknesses. “If I can get to the human, I can almost always get in.” These types of attacks are also called remote social engineering attacks.
Another reality is that employees in all sizes of companies increasingly want to use their own smart phones or iPads to connect to their companies’ central nervous systems, whether from home or on the road. This creates another avenue the hackers can use if those communications are not encrypted. Employees who lose a company laptop loaded with sensitive information can create major problems.
Add it all up and it’s clear that CEOs of SMBs face a tremendous challenge in maintaining the vital flow of information and the creative exchanges among people inside their companies—and with business partners—without increasing the risk of getting hacked. And many are in denial about it, says Ostashen. “I go into a company and provide a roadmap for how to fix their problems, then go back six months later and find that the problems are actually worse,” he says. “Top management did not want to spend the money. They wanted to accept the risk.”